A combination of vulnerabilities in D-Link’s DIR-300 and DIR-600 routers could allow an attacker to inject arbitrary shell commands and ultimately compromise the device, according to German security researcher Michael Messner, who publicly disclosed the flaw on his personal blog Monday.
The root of the flaw lies in the routers’ missing access restrictions and missing input validation in the command parameter. Messner claims even unauthenticated users can target routers, trick them into landing on their own website and then execute malicious commands by injecting scripts.
“If you combine the plaintext credential vulnerability with the unauthenticated OS command injection vulnerability you will … extract the admin password from every vulnerable device,” Messner writes.
According to the blog entry, Messner first discovered the vulnerabilities at the tail end of 2012 and forwarded them to D-Link, which insisted the issue was relegated to browsers and that the company would not publish a fix. Messner elected to provide more information to D-Link more than a week and a half ago, on January 25. Having still not heard back, Messner saw fit to publicly release the attack details earlier this week.
A post by The H-Security claims that all current D-Link firmware versions (Version 2.13, released November 7, 2012, and Version 2.14b01, released January 22, 2013) are affected by the flaw and suggests that users, at least until D-Link issues a fix, “decommission the affected browsers.”
D-Link did not respond to e-mail requests for comment Wednesday.